CN105025025A - Cloud-platform-based domain name active detecting method and system - Google Patents
Publication number: CN105025025A (application CN201510435008.5A)
Authority: CN (China)
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Abstract
The invention provides a cloud-platform-based domain name active detection method and system. The method comprises: (1) registering every processing micro-engine on the cloud platform and initializing the micro-engines' configuration parameters; (2) configuring and generating a domain name detection task and sending it to the cloud platform; (3) scheduling the domain name detection task to the designated micro-engine program and, once the program has finished, saving the task execution result to an FTP server as a text file; (4) fetching the execution result file from the FTP server, parsing it and saving the parsed result to a database. The active detection system is built on this method. By using cloud platform resources, the invention performs active detection of domain name security at the operators of different regions and can efficiently determine the DNS servers present in IPv4 address ranges.
Description
Technical field
The present invention relates to an active detection method and system, and specifically to a cloud-platform-based domain name active detection method and system.
Background technology
The domain name system is a key component of the Internet: domain names are a basic Internet resource, and domain name service is one of the Internet's core services, providing infrastructure for most Internet applications and acting as its central nervous system. As the Internet has developed, Internet services have multiplied, domain names have been registered in the hundreds of millions, and domain name service facilities have grown accordingly. Because of the inherent fragility of the domain name system, however, it is frequently attacked and maliciously exploited, so that domain names fail to resolve correctly: cache poisoning that exploits its vulnerabilities causes some domain names to resolve incorrectly, and DDoS attacks against it cause service anomalies that leave large numbers of users unable to reach the Internet, seriously harming the stability of Internet services. Detecting the operating condition and security state of domain names is therefore an important part of ensuring safe and stable domain name service, and is significant for safeguarding Internet security and promoting its healthy development.
Current domain name security detection methods fall into two kinds, active domain name detection and passive domain name detection. Passive detection analyses the DNS access traffic captured on the domain name server side and records actual domain name access behaviour; it is mainly done in two ways, by analysing domain name server logs or by mirroring the domain name server's traffic for analysis. Active domain name detection probes domain name resolution servers to obtain a domain name's resolution data and other server state data. Some active probing methods and tools exist for cache recursive servers and authoritative servers, but they are based on single-point probing and cannot reflect the global resolution situation of domain names and name servers; the tools are relatively single-purpose, resource reuse is low, probing resources are insufficient and system detection performance is inadequate. In addition, some name servers restrict the IP addresses allowed to access them, so single-point probing cannot guarantee that every domain name is probed successfully. Distributed multi-point probing is currently achieved mainly by deploying multiple single-point probes, and the detection problems caused by special characteristics such as the use of DNSSEC and CDN have not been addressed.
Summary of the invention
To overcome the above shortcomings of the prior art, the invention provides a cloud-platform-based domain name active detection method and system. The invention can efficiently determine the DNS servers in IPv4 address ranges and actively detect hijacking events affecting critical domain names.
To achieve the above objective, the invention adopts the following technical scheme:
A cloud-platform-based domain name active detection method, comprising the steps:
(1) registering each processing micro-engine on the cloud platform and initializing the micro-engine configuration parameters;
(2) configuring and generating a domain name detection task and sending it to the cloud platform;
(3) scheduling the domain name detection task to the designated micro-engine program, which stores the task execution result on an FTP server as a text file when it finishes;
(4) fetching the execution result file from the FTP server and storing the parsed execution result file in a database.
Preferably, in step (1), the configuration parameters include the address of the target server to probe and the domain name to probe.
Preferably, in step (2), configuring the domain name detection task includes configuring the task execution cycle and the region and operator resource information required for the task execution node.
Preferably, in step (3), when the domain name detection task is a domain name service facility operating-state detection task, all IPv4 addresses in the configured ranges are probed, by region and operator, for DNS service type, service provision and service quality, comprising the steps:
Step 401: set the list IPLIST of IPv4 address ranges to probe, together with the region and operator information for the probe; IPLIST comprises IP1, IP2, ...;
Step 402: issue the task to the cloud platform nodes of the specified region and operator;
Step 403: assemble the DNS message sequence SQ, comprising the messages DNS1 to DNS5, where DNS1 is a standard A-type request over UDP for the domain name a.root-servers.net; DNS2 is a standard A-type request over UDP for a.dns.cn; DNS3 is a standard CNAME-type request over UDP for www.xxx.com; DNS4 is a standard A-type request over TCP for a.root-servers.net; DNS5 is a DNSSEC request over UDP;
A standard A-type request is a request for the IP address of a domain name;
Step 404: start a thread listening on UDP port 53 and wait for DNS response messages to be received;
Step 405: send the DNS1 message of SQ to port 53 of each IPv4 server address IP1, IP2, ... in the IPv4 range list in turn, limiting the send rate to no more than 10000 PPS;
Step 406: receive DNS response messages in the listening thread and check whether the resolution record in the answer section is an A record for a.root-servers.net and whether the message's peer IP is in IPLIST; if both conditions hold, that IP is a DNS server;
Step 407: send the DNS2 and DNS3 messages of SQ in turn to each IP determined to be a DNS server and check whether the resolution records in the answer sections correctly return the corresponding records; if both correct response records are obtained, the server is a recursive server; if the authoritative-answer flag in the response flags field is 1, or the RCODE field is REFUSED for all responses, the IP is an authoritative server;
Step 408: send the DNS4 message of SQ to the DNS server and examine its response; if a correct response is obtained, the server supports TCP, otherwise it does not;
Step 409: send the DNS5 message of SQ to the DNS server and examine the RRSIG records in its response; if they are obtained correctly, the server supports DNSSEC, otherwise it does not;
Step 410: send the DNS2 message of SQ to the DNS server several times, obtain the delay and the number of successful replies, and compute the average delay and the response success rate;
Step 411: after messages have been sent to every IP in IPLIST, wait 10 seconds and end the micro-engine process.
Preferably, in step (3), when the detection task is a critical domain name hijacking event detection task, the authoritative server of the domain name is obtained, the corresponding resolution resource is obtained from that server, and hijack detection is performed against that resolution resource, comprising the steps:
Step 501: obtain the authoritative records of the domain name DOMAIN to be checked step by step, starting from the root name server a.root-servers.net, and finally obtain the IP address of the domain name's authoritative server;
Step 502: from the processing node of each operator in each region, send an A-type request for the domain name to be checked to that authoritative server;
Step 503: collect every resolved A record from the answer sections to form the resolved-IP list VLIST for the domain name to be checked;
Step 504: send an A-type request for the domain name to be checked to the DNS server being checked, obtain its resolved IP result and compare it with the records in VLIST; if the IP is not present, record a hijacking event comprising the DNS server IP address, the domain name, the resolved value and the VLIST used as the basis.
Preferably, in step (3), when the detection task is a detection task for domain names using CDN services, domain name resource data is analysed using character and clustering features to obtain a list of CDN domain names, and that list is used for detection, comprising the steps:
Step 601: extract second-level domains from the CNAME records in the domain name resource data to form a second-level-domain mapping table whose entries comprise the requested name's second-level domain, the CNAME and the response's second-level domain;
Step 602: extract the response second-level domains that contain the characters 'CDN' and add them to the CDN service domain name list CDNLIST;
Step 603: perform cluster analysis on the response second-level domains to find records in which different requested second-level domains map to the same response second-level domain, extract those domains and add them to CDNLIST;
Step 604: request the A-type record of the domain name to be checked from the DNS server, obtain its response records and check whether the first response record is a CNAME record; if it is not, discard it; if it is, extract the second-level domain of the resolved value and match it against CDNLIST; a successful match means the domain name uses a CDN, otherwise it does not.
Preferably, a cloud-platform-based domain name active monitoring system comprises:
a micro-engine management module, for registering each processing micro-engine on the cloud platform and initializing the micro-engine configuration parameters;
a task generation module, for configuring and generating domain name detection tasks and sending them to the cloud platform;
a cloud platform, for scheduling the domain name detection task to the designated micro-engine program, which stores the task execution result on an FTP server as a text file when it finishes;
a result processing module, for fetching the execution result file from the FTP server and storing the parsed execution result file in a database.
Preferably, the system also comprises a micro-engine library, which comprises:
a service state detection micro-engine, which probes all IPv4 addresses in the configured ranges, by region and operator, for DNS service type, service provision and service quality;
a critical domain name hijacking event micro-engine, which obtains the authoritative server of the domain name, obtains the corresponding resolution resource from that server and performs hijack detection against it;
a CDN-service domain name detection micro-engine, which analyses domain name resource data using character and clustering features to obtain a list of CDN domain names and uses that list for detection;
a domain name server information collection micro-engine, which probes the name server under test, extracts its characteristic fingerprint and analyses its basic condition;
a cache record detection micro-engine, which actively probes DNS caching servers to discover the current resource information recorded for a domain name on each caching server, including the resolved value and TTL, and so obtains the global cache record of the domain name, providing basic data for the discovery of anomalous events;
an authoritative record detection micro-engine, which actively probes DNS authoritative servers.
Compared with the prior art, the beneficial effects of the invention are:
The invention uses cloud platform resources to perform active domain name security detection at the operators of each region; it can efficiently determine the DNS servers in IPv4 address ranges, a single node with 10 Mbps bandwidth needing only a short time to cover an IPv4 range; it actively detects hijacking events affecting critical domain names; and it detects domain names using CDN services, having identified hundreds of CDN service provider domain names.
Description of the drawings
Fig. 1 is a flow diagram of a cloud-platform-based domain name active detection method provided by the invention
Fig. 2 is a structural diagram of a cloud-platform-based domain name active detection system provided by the invention
Embodiments
The invention is described in further detail below with reference to the drawings.
As shown in Fig. 1, a cloud-platform-based domain name active detection method has the following concrete implementation steps:
(1) register each processing micro-engine on the cloud platform, then select the micro-engines to be used and initialize their configuration parameters, which include the address of the target server to probe, the domain name to probe, and so on;
(2) configure the domain name detection task; the configuration includes selecting the execution cycle, the region and operator resource information required for the execution node, and so on;
(3) issue the configured task to the cloud platform, which schedules and executes it by running the micro-engine program; when processing is complete, the task execution result is stored on an FTP server as a text file;
(4) fetch the execution result from the FTP server and store the parsed result in a database.
In the above process, the processing performed by the micro-engine program in step (3) is the key step of active domain name security detection, and different micro-engine programs have different processing flows. The concrete implementation steps of the domain name service facility operating-state detection method, the critical domain name hijacking event detection method and the detection method for domain names using CDN services are described in turn below.
Domain name service facility operating-state detection probes all IPv4 addresses in the configured ranges, by region and operator, for DNS service type, service provision and service quality. The concrete implementation steps are as follows:
Step S201: configure the domain name server information collection micro-engine and set the list IPLIST of IPv4 ranges to probe, including the region and operator information of the probe, as <IP1, IP2, Province, ISP>;
Step S202: issue the task to the cloud platform nodes of the specified region and operator; it starts executing as soon as it is scheduled;
Step S203: assemble the DNS message sequence SQ <DNS1 DNS2 DNS3 DNS4 DNS5 ...>, where DNS1 is a standard A-type request over UDP for the domain name a.root-servers.net; DNS2 is a standard A-type request over UDP for a.dns.cn; DNS3 is a standard CNAME-type request over UDP for www.xxx.com; DNS4 is a standard A-type request over TCP for a.root-servers.net; DNS5 is a DNSSEC request over UDP; DNS messages of other types may also be added to the sequence SQ;
A standard A-type request is a request for the IP address of a domain name;
Step S204: start a thread listening on UDP port 53 and wait for DNS response messages to be received;
Step S205: send the DNS1 message of SQ to port 53 of each IPv4 server address IP1, IP2, ... in the IPv4 range list in turn, limiting the send rate to no more than 10000 PPS;
Step S206: receive DNS response messages in the listening thread and check whether the resolution record in the answer section is an A record for a.root-servers.net and whether the message's peer IP is in IPLIST; if both conditions hold, that IP is a DNS server;
Step S207: send the DNS2 and DNS3 messages of SQ in turn to each IP determined to be a DNS server and check whether the resolution records in the answer sections correctly return the corresponding records; if both correct response records are obtained, the server is a recursive server; if the AA (authoritative answer) flag in the response flags field is 1, or the RCODE field is REFUSED for all responses, the IP is an authoritative server;
Step S208: send the DNS4 message of SQ to the DNS server and examine its response; if a correct response is obtained, the server supports TCP, otherwise it does not;
Step S209: send the DNS5 message of SQ to the DNS server and examine the RRSIG records in its response; if they are obtained correctly, the server supports DNSSEC, otherwise it does not;
Step S210: send the DNS2 message of SQ to the DNS server several times, obtain the delay and the number of successful replies, and compute the average delay and the response success rate;
Step S211: after messages have been sent to every IP in IPLIST, wait 10 seconds and end the micro-engine process;
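The following is an added example, not code from the patent, that models steps S203 to S210 (and steps 403 to 410 above) offline: it parses a DNS response from raw wire bytes and applies the patent's classification rules for "is a DNS server", recursive versus authoritative, DNSSEC support and response quality. No packets are sent; build_response only constructs sample responses, and the addresses used with it are reserved test addresses.

```python
import struct

TYPE_A, TYPE_CNAME, TYPE_RRSIG = 1, 5, 46
RCODE_REFUSED = 5
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    return b"".join(bytes([len(lb)]) + lb.encode("ascii")
                    for lb in name.rstrip(".").split(".")) + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                      # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                          # reject pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return header flags and the answer-section records (name, type, rdata)."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, off)
        else:
            rdata = msg[off:off + rdlen]           # raw bytes, e.g. RRSIG
        off += rdlen
        answers.append((name, rtype, rdata))
    return {"id": txn_id, "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0x000F, "answers": answers}


def build_response(txn_id, qname, qtype, answers, aa=False, rcode=0):
    """Constructed sample response (test data, not captured traffic); answers
    is a list of (type, value) and record names point back at the question."""
    flags = FLAG_QR | FLAG_RD | (FLAG_AA if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", txn_id, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, value in answers:
        if rtype == TYPE_A:
            rdata = bytes(int(o) for o in value.split("."))
        elif rtype == TYPE_CNAME:
            rdata = encode_name(value)
        else:
            rdata = value
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def is_dns_server(resp, peer_ip, iplist):
    """Step S206: an A record for a.root-servers.net from a peer in IPLIST."""
    return peer_ip in iplist and any(
        n == "a.root-servers.net" and t == TYPE_A for n, t, _ in resp["answers"])


def classify_server(resp_dns2, resp_dns3):
    """Step S207: correct A (a.dns.cn) and CNAME (www.xxx.com) answers mean a
    recursive server; AA=1, or REFUSED on both, means an authoritative server."""
    ok2 = any(n == "a.dns.cn" and t == TYPE_A for n, t, _ in resp_dns2["answers"])
    ok3 = any(t == TYPE_CNAME for _, t, _ in resp_dns3["answers"])
    if ok2 and ok3:
        return "recursive"
    both_refused = (resp_dns2["rcode"] == RCODE_REFUSED
                    and resp_dns3["rcode"] == RCODE_REFUSED)
    if resp_dns2["aa"] or resp_dns3["aa"] or both_refused:
        return "authoritative"
    return "unknown"


def supports_dnssec(resp_dns5):
    """Step S209: an RRSIG record in the answer means DNSSEC is supported."""
    return any(t == TYPE_RRSIG for _, t, _ in resp_dns5["answers"])


def quality(delays_ms):
    """Step S210: average delay of the successful replies (None = no reply)
    and the response success rate."""
    ok = [d for d in delays_ms if d is not None]
    return (sum(ok) / len(ok) if ok else None), len(ok) / len(delays_ms)
```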
Critical domain name hijacking event detection obtains the authoritative server of the domain name, obtains the corresponding resolution resource from that server and performs hijack detection against it. The concrete implementation steps are as follows:
Step S301: obtain the authoritative NS records (the DNS records that identify the authoritative servers) of the domain name DOMAIN to be checked step by step, starting from the root name server a.root-servers.net, and finally obtain the IP address of its authoritative server;
Step S302: from the processing node of each operator in each region, send an A-type request for the domain name to be checked to that authoritative server;
Step S303: collect every resolved A record from the answer sections to form the resolved-IP list VLIST for the domain name to be checked, which the following steps use as their basis;
Step S304: send an A-type request for the domain name to be checked to the DNS server being checked, obtain its resolved IP result and compare it with the records in VLIST; if the IP is not present, record a hijacking event <DNS server IP address, domain name, resolved value, VLIST used as basis>;
Detection of domain names using CDN services first analyses domain name resource data using features such as characters and clustering to obtain a list of CDN domain names, and then uses that list for detection. The concrete implementation steps are as follows:
Step S401: extract second-level domains from the CNAME records in the domain name resource data to form the second-level-domain mapping table <requested second-level domain, CNAME, response second-level domain>;
Step S402: extract the response second-level domains that contain the characters 'CDN' and add them to the CDN service domain name list CDNLIST;
Step S403: perform cluster analysis on the response second-level domains to find records in which different requested second-level domains map to the same response second-level domain, extract those domains and add them to CDNLIST;
Step S404: adjust CDNLIST by manual intervention;
Step S405: request the A-type record of the domain name to be checked from the DNS server, obtain its response records and check whether the first response record is a CNAME record; if it is not, discard it; if it is, extract the second-level domain of the resolved value and match it against CDNLIST; a successful match means the domain name uses a CDN, otherwise it does not.
As shown in Fig. 2, a cloud-platform-based domain name active detection system comprises:
a micro-engine management module, for registering each processing micro-engine on the cloud platform and initializing the micro-engine configuration parameters;
a task generation module, for configuring and generating domain name detection tasks and sending them to the cloud platform;
a cloud platform, for scheduling the domain name detection task to the designated micro-engine program, which stores the task execution result on an FTP server as a text file when it finishes;
a result processing module, for fetching the execution result file from the FTP server and storing the parsed execution result file in a database.
a micro-engine module, comprising:
a service state detection micro-engine, which probes all IPv4 addresses in the configured ranges, by region and operator, for DNS service type, service provision and service quality;
a critical domain name hijacking event micro-engine, which obtains the authoritative server of the domain name, obtains the corresponding resolution resource from that server and performs hijack detection against it;
a CDN-service domain name detection micro-engine, which analyses domain name resource data using character and clustering features to obtain a list of CDN domain names and uses that list for detection;
a domain name server information collection micro-engine, which probes the name server under test, extracts its characteristic fingerprint and analyses its basic condition;
a cache record detection micro-engine, which actively probes DNS caching servers to discover the current resource information recorded for a domain name on each caching server, including the resolved value and TTL, and so obtains the global cache record of the domain name, providing basic data for the discovery of anomalous events;
an authoritative record detection micro-engine, which actively probes DNS authoritative servers.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical scheme of the invention and not to limit it. Although the invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the invention may still be modified or replaced by equivalents, and any modification or equivalent replacement that does not depart from the spirit and scope of the invention shall fall within the scope of the claims of the invention.
Claims (8)
1. A cloud-platform-based domain name active detection method, characterized in that the method comprises the steps:
(1) registering each processing micro-engine on the cloud platform and initializing the micro-engine configuration parameters;
(2) configuring and generating a domain name detection task and sending it to the cloud platform;
(3) scheduling the domain name detection task to the designated micro-engine program, which stores the task execution result on an FTP server as a text file when it finishes;
(4) fetching the execution result file from the FTP server and storing the parsed execution result file in a database.
2. The detection method according to claim 1, characterized in that in step (1) the configuration parameters include the address of the target server to probe and the domain name to probe.
3. The detection method according to claim 1, characterized in that in step (2) configuring the domain name detection task includes configuring the task execution cycle and the region and operator resource information required for the task execution node.
4. The detection method according to claim 1, characterized in that in step (3), when the domain name detection task is a domain name service facility operating-state detection task, all IPv4 addresses in the configured ranges are probed, by region and operator, for DNS service type, service provision and service quality, comprising the steps:
Step 401: set the list IPLIST of IPv4 address ranges to probe, together with the region and operator information for the probe; IPLIST comprises IP1, IP2, ...;
Step 402: issue the task to the cloud platform nodes of the specified region and operator;
Step 403: assemble the DNS message sequence SQ, comprising the messages DNS1 to DNS5, where DNS1 is a standard A-type request over UDP for the domain name a.root-servers.net; DNS2 is a standard A-type request over UDP for a.dns.cn; DNS3 is a standard CNAME-type request over UDP for www.xxx.com; DNS4 is a standard A-type request over TCP for a.root-servers.net; DNS5 is a DNSSEC request over UDP;
A standard A-type request is a request for the IP address of a domain name;
Step 404: start a thread listening on UDP port 53 and wait for DNS response messages to be received;
Step 405: send the DNS1 message of SQ to port 53 of each IPv4 server address IP1, IP2, ... in the IPv4 range list in turn, limiting the send rate to no more than 10000 PPS;
Step 406: receive DNS response messages in the listening thread and check whether the resolution record in the answer section is an A record for a.root-servers.net and whether the message's peer IP is in IPLIST; if both conditions hold, that IP is a DNS server;
Step 407: send the DNS2 and DNS3 messages of SQ in turn to each IP determined to be a DNS server and check whether the resolution records in the answer sections correctly return the corresponding records; if both correct response records are obtained, the server is a recursive server; if the authoritative-answer flag in the response flags field is 1, or the RCODE field is REFUSED for all responses, the IP is an authoritative server;
Step 408: send the DNS4 message of SQ to the DNS server and examine its response; if a correct response is obtained, the server supports TCP, otherwise it does not;
Step 409: send the DNS5 message of SQ to the DNS server and examine the RRSIG records in its response; if they are obtained correctly, the server supports DNSSEC, otherwise it does not;
Step 410: send the DNS2 message of SQ to the DNS server several times, obtain the delay and the number of successful replies, and compute the average delay and the response success rate;
Step 411: after messages have been sent to every IP in IPLIST, wait 10 seconds and end the micro-engine process.
5. The detection method according to claim 1, characterized in that, in step (3), when the detection task is a key domain name hijacking event detection task, the authoritative server of the domain is obtained, the corresponding resolution resource is obtained from that server, and hijacking detection is performed on the basis of that resource, comprising the following steps:
Step 501, starting from the root name server a.root-servers.net, obtain the authoritative records of the domain DOMAIN to be checked level by level, finally obtaining the IP address of the authoritative server of the domain;
Step 502, from the processing node of each operator in each region, send an A-type query for the domain to be checked to the authoritative server;
Step 503, collect every A record obtained in the answer sections to form the resolution IP list VLIST for the domain to be checked;
Step 504, send an A-type query for the domain to be checked to the DNS server under check, obtain its resolution IP result and compare it with the records in VLIST; if the IP is not present there, record a hijacking event; the hijacking event record comprises the IP address of the DNS server, the domain name, the resolved value and the VLIST used as the basis.
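An added worked example for steps 501 to 504 (written for this page, not the patent's own code) follows. The delegation table, the per-vantage-point authoritative answers and the resolver answers are all constructed in-memory data; the real engine would obtain them from the walk described in step 501 and from the queries of steps 502 and 504. Two practical points the claim leaves implicit are made explicit: VLIST must be the union over all regions and operators, because an authoritative server that answers by client location legitimately returns different A records to different vantage points, and an authoritative answer that consists only of a CNAME (the usual case for a domain served through a CDN) produces an empty VLIST, which would otherwise flag every resolver as hijacked.

```python
"""Added example, not code from the patent: the key-domain hijacking check of
steps 501-504 run over a constructed delegation table and constructed answers
from several vantage points (nothing is sent on the network)."""

# Constructed delegation data standing in for the step 501 walk from the root:
# zone -> addresses of servers authoritative for it (RFC 5737 sample addresses).
DELEGATIONS = {
    ".": ["198.41.0.4"],                          # a.root-servers.net, where the walk starts
    "cn.": ["192.0.2.1"],                         # constructed TLD server
    "example.cn.": ["192.0.2.2", "192.0.2.3"],    # constructed authoritative servers
}

# Constructed step 502 results: (region, operator) vantage point -> records the
# authoritative server returned for the A query on the domain under check.
AUTHORITATIVE_ANSWERS = {
    ("north", "ispA"): [("A", "203.0.113.10")],
    ("south", "ispA"): [("A", "203.0.113.11")],   # location-dependent answer
    ("north", "ispB"): [("A", "203.0.113.10")],
}

# Constructed step 504 inputs: DNS server under check -> A values it returned.
RESOLVER_ANSWERS = {
    "192.0.2.53": ["203.0.113.10"],
    "192.0.2.54": ["203.0.113.11", "203.0.113.10"],
    "198.51.100.53": ["198.51.100.99"],           # value the authoritative never gave
}


def find_authoritative(domain, delegations=DELEGATIONS):
    """Step 501: walk from the root toward DOMAIN, taking the closest enclosing
    zone that has a delegation; returns (zone, authoritative server IPs)."""
    labels = domain.rstrip(".").lower().split(".")
    zone, servers = ".", delegations["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in delegations:
            zone, servers = candidate, delegations[candidate]
    return zone, servers


def build_vlist(authoritative_answers):
    """Step 503: VLIST is the union over every vantage point, because an
    authoritative server that answers by client location legitimately returns
    different A records to different regions and operators."""
    vlist, cnames = set(), set()
    for _vantage, rrs in authoritative_answers.items():
        for rtype, value in rrs:                  # only A and CNAME are expected here
            (vlist if rtype == "A" else cnames).add(value)
    return vlist, cnames


def detect_hijack(domain, dns_server_ip, answers, vlist):
    """Step 504: every A value from the DNS server under check must be in VLIST;
    each other value yields a hijacking-event record with the claim's fields."""
    return [{"dns_server": dns_server_ip, "domain": domain, "resolved": ip, "vlist": sorted(vlist)}
            for ip in answers if ip not in vlist]


def run_check(domain, authoritative_answers, resolver_answers):
    """Steps 503-504 end to end. If the authoritative answer was only a CNAME,
    VLIST would be empty and every resolver would look hijacked, so the caller is
    told to repeat the check on the CNAME target instead."""
    vlist, cnames = build_vlist(authoritative_answers)
    if not vlist and cnames:
        return {"status": "cname", "targets": sorted(cnames), "events": []}
    events = []
    for dns_server_ip, answers in resolver_answers.items():
        events += detect_hijack(domain, dns_server_ip, answers, vlist)
    return {"status": "checked", "vlist": sorted(vlist), "events": events}


if __name__ == "__main__":
    print(find_authoritative("www.example.cn"))
    for event in run_check("www.example.cn", AUTHORITATIVE_ANSWERS, RESOLVER_ANSWERS)["events"]:
        print("hijack:", event)
```

On the constructed data, the resolver at 198.51.100.53 is the only one reported, because 198.51.100.99 was never returned by the authoritative server from any vantage point, while 192.0.2.54 is accepted even though no single vantage point saw both of its answers.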
6. The detection method according to claim 1, characterized in that, in step (3), when the detection task is a detection task for domain names that use CDN services, domain name resource data analysis is used, exploiting character features and clustering, to obtain a list of CDN domain names, and that list is used for the detection, comprising the following steps:
Step 601, extract second-level domains from the CNAME records in the domain name resource data to form a second-level domain mapping table, the mapping table comprising the second-level domain of the request name, of the CNAME and of the response;
Step 602, extract the response second-level domains that contain the characters 'CDN' and add them to the CDN service domain list CDNLIST;
Step 603, perform cluster analysis on the response second-level domains to obtain the records in which different request second-level domains are mapped to the same second-level domain; extract that domain and add it to CDNLIST;
Step 604, request the A-type record of the domain to be checked from the DNS server and obtain the response records of the domain; check whether the first response record is a CNAME record; if it is not a CNAME record, discard it; if it is a CNAME record, extract the second-level domain of the resolved value and match it against CDNLIST; if the match succeeds the domain uses a CDN, otherwise it does not.
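The following is an added worked example for steps 601 to 604; it is not the patent's code. It builds the mapping table from constructed CNAME resource data, derives CDNLIST by the character rule and by the clustering rule, and then applies the first-record test of step 604. Two details the claim leaves open are filled in as labelled assumptions: "second-level domain" is taken to mean the registrable name, so a short multi-label suffix set (com.cn, org.cn and so on) stands in for the Public Suffix List, and the clustering rule is implemented as a minimum number of distinct request second-level domains mapping to one response second-level domain.

```python
"""Added example, not code from the patent: steps 601-604 run over constructed
CNAME resource data. The public-suffix handling and the clustering threshold are
assumptions the claim leaves open."""
from collections import defaultdict

# Assumed minimal multi-label suffix set so that 'second-level domain' is the
# registrable name; a real deployment would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "gov.cn", "co.uk"}

# Constructed CNAME resource data: (owner name, CNAME target).
CNAME_RECORDS = [
    ("www.shop-a.com.cn", "shop-a.cdn-example.net."),        # 'cdn' in the target SLD
    ("www.site-b.cn", "b.edge-example.com"),                  # three unrelated requesters
    ("www.site-c.net", "c.edge-example.com"),                 # map to edge-example.com
    ("img.site-d.org", "d.edge-example.com"),
    ("www.news-e.com", "news-e.alias-example.org"),           # two-hop chain ...
    ("news-e.alias-example.org", "e.edge-example.com"),       # ... ending at edge-example.com
    ("www.blog-f.org.cn", "host1.blog-f.org.cn"),             # in-house alias, same SLD
    ("www.intra-g.com", "g.two-example.net"),                 # only two requesters:
    ("www.intra-h.com", "h.two-example.net"),                 # below the cluster threshold
]


def second_level_domain(name):
    """'a.b.example.com.cn.' -> 'example.com.cn'; 'x.cdn.example.net' -> 'example.net'."""
    labels = name.rstrip(".").lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def build_mapping_table(cname_records):
    """Step 601: for each owner, follow its CNAME chain inside the data set and
    record (request SLD, first CNAME SLD, final response SLD)."""
    nxt = {o.rstrip(".").lower(): t.rstrip(".").lower() for o, t in cname_records}
    table = []
    for owner, first in nxt.items():
        final, seen = first, {owner}
        while final in nxt and final not in seen:             # loop guard
            seen.add(final)
            final = nxt[final]
        table.append((second_level_domain(owner), second_level_domain(first), second_level_domain(final)))
    return table


def build_cdnlist(table, min_requesters=3):
    """Steps 602-603: response SLDs containing 'cdn', plus response SLDs that at
    least min_requesters distinct request SLDs map to (the clustering signal;
    the threshold is an assumption, the claim gives none)."""
    cdnlist, requesters = set(), defaultdict(set)
    for req_sld, _cname_sld, resp_sld in table:
        if "cdn" in resp_sld:
            cdnlist.add(resp_sld)
        if req_sld != resp_sld:                                # own alias: no CDN signal
            requesters[resp_sld].add(req_sld)
    cdnlist |= {sld for sld, reqs in requesters.items() if len(reqs) >= min_requesters}
    return cdnlist


def uses_cdn(answers, cdnlist):
    """Step 604: only the first answer record counts; not a CNAME -> discard,
    CNAME -> match the SLD of its target against CDNLIST."""
    if not answers or answers[0][0] != "CNAME":
        return False
    return second_level_domain(answers[0][1]) in cdnlist


if __name__ == "__main__":
    cdnlist = build_cdnlist(build_mapping_table(CNAME_RECORDS))
    print("CDNLIST:", sorted(cdnlist))
    print("uses CDN:", uses_cdn([("CNAME", "x.edge-example.com."), ("A", "203.0.113.5")], cdnlist))
```

The alias record for blog-f shows why the clustering rule excludes records whose request and response second-level domains coincide: an organisation pointing www at one of its own hosts is not a CDN signal. The two-hop chain for news-e shows why the table records the final response name rather than the first CNAME target, since the first hop alone would never reach the CDN's domain.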
7. A cloud-platform-based domain name active detection system, characterized in that the system comprises:
a micro-engine management module, for registering each processing micro-engine with the cloud platform and initializing the micro-engine configuration parameters;
a task generation module, for configuring and generating domain name detection tasks and sending them to the cloud platform;
the cloud platform, for dispatching the domain name detection task to the specified micro-engine process and, after it completes, storing the task execution result on an FTP server as a text file;
a result processing module, for obtaining the execution result file from the FTP server, parsing it, and storing the parsed result in a database.
8. The detection system according to claim 7, characterized in that the system further comprises a micro-engine library, and the micro-engine library comprises:
a service state detection micro-engine, for performing DNS service type, service status and service quality detection on all IPv4 segment addresses, grouped by region and operator;
a key domain name hijacking event micro-engine, for obtaining the authoritative server of the domain, obtaining the corresponding resolution resource from that server, and performing hijacking detection on the basis of that resource;
a CDN-service domain name detection micro-engine, for obtaining a CDN domain name list by analysing the domain name resource data with character features and clustering, and using that list for detection;
a domain name server information collection micro-engine, for probing the name server under check, extracting its characteristic fingerprint and analysing the basic state of the name server;
a cache record detection micro-engine, for actively probing DNS cache servers to discover the current cached resource information of a domain on each cache server, including the resolved value and the TTL, thereby obtaining the global cache record of the domain and providing base data for discovering anomalous events;
an authoritative record detection micro-engine, for actively probing DNS authoritative servers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510435008.5A (CN105025025B) | 2015-07-22 | 2015-07-22 | A kind of domain name active detecting method and system based on cloud platform |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105025025A (application publication) | 2015-11-04 |
CN105025025B (granted publication) | 2019-09-27 |
Family
ID=54414730
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510435008.5A (CN105025025B, Expired - Fee Related) | 2015-07-22 | 2015-07-22 | A kind of domain name active detecting method and system based on cloud platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105025025B |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102868669A * | 2011-07-08 | 2013-01-09 | 上海寰雷信息技术有限公司 | Protection method and device aiming to attacks continuously changing prefix domain name |
CN104052755A * | 2014-06-26 | 2014-09-17 | 国家计算机网络与信息安全管理中心 | DNS spoofing attack detecting and positioning system and method based on cloud platform |
CN104468860A * | 2014-12-04 | 2015-03-25 | 北京奇虎科技有限公司 | Method and device for recognizing risk of domain name resolution server |
* Cited by examiner
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107040546A * | 2017-05-26 | 2017-08-11 | 浙江鹏信信息科技股份有限公司 | A kind of Domain Hijacking detection and linkage method of disposal and system |
CN107147662A * | 2017-06-01 | 2017-09-08 | 北京云端智度科技有限公司 | The method that Domain Hijacking is found |
CN107528825A * | 2017-07-06 | 2017-12-29 | 努比亚技术有限公司 | A kind of resource downloading method, terminal and computer-readable recording medium |
WO2020019510A1 * | 2018-07-26 | 2020-01-30 | 平安科技(深圳)有限公司 | Information processing method, terminal, and computer readable storage medium |
CN109040052A * | 2018-07-26 | 2018-12-18 | 平安科技(深圳)有限公司 | A kind of information processing method, terminal and computer-readable medium |
CN109040052B * | 2018-07-26 | 2021-06-15 | 平安科技(深圳)有限公司 | Information processing method, terminal and computer readable medium |
CN109361712A * | 2018-12-17 | 2019-02-19 | 北京天融信网络安全技术有限公司 | A kind of information processing method and information processing unit |
CN109361712B * | 2018-12-17 | 2021-08-24 | 北京天融信网络安全技术有限公司 | Information processing method and information processing device |
CN109547585A * | 2019-01-14 | 2019-03-29 | 中国雄安集团数字城市科技有限公司 | A method of based on being switched fast for edge calculations cloud |
CN114006709A * | 2020-07-16 | 2022-02-01 | 四川大学 | Malicious domain name server detection method based on active and passive detection |
CN112291343A * | 2020-10-28 | 2021-01-29 | 成都知道创宇信息技术有限公司 | Information acquisition method and device and electronic equipment |
CN112291343B * | 2020-10-28 | 2022-11-22 | 成都知道创宇信息技术有限公司 | Information acquisition method and device and electronic equipment |
CN112995360A * | 2021-04-30 | 2021-06-18 | 新华三技术有限公司 | Domain name detection method and device, DGA service equipment and storage medium |
CN112995360B * | 2021-04-30 | 2021-07-30 | 新华三技术有限公司 | Domain name detection method and device, DGA service equipment and storage medium |
CN113381904A * | 2021-05-19 | 2021-09-10 | 上海交通大学 | Lightweight CDN node rapid detection system and method |
CN113381904B * | 2021-05-19 | 2022-06-21 | 上海交通大学 | Lightweight CDN node rapid detection system and method |
CN114168945A * | 2021-12-09 | 2022-03-11 | 绿盟科技集团股份有限公司 | Method and device for detecting potential risk of sub-domain name |
CN116806033A * | 2023-07-26 | 2023-09-26 | 福建万物易联网络科技有限公司 | Mobile application IPv6 support detection method and system |
* Cited by examiner
Also Published As
Publication number | Publication date |
---|---|
CN105025025B | 2019-09-27 |
Similar Documents
Publication | Title |
---|---|
CN105025025A | Cloud-platform-based domain name active detecting method and system |
CN102025713B | Access control method, system and DNS (Domain Name Server) server |
WO2015158193A1 | Method and system for providing root domain name resolution service |
CN101924757B | Method and system for reviewing Botnet |
CN103607385B | Method and apparatus for security detection based on browser |
US8020045B2 | Root cause analysis method, apparatus, and program for IT apparatuses from which event information is not obtained |
US20070124806A1 | Techniques for tracking actual users in web application security systems |
US10992777B2 | System and method for identifying OTT applications and services |
TWI652585B | Method and server for remotely querying information |
Zirngibl et al. | Rusty clusters? Dusting an IPv6 research foundation |
EP2869508A1 | Method for receiving message, and deep packet inspection device and system |
EP3570504B1 | Attack countermeasure determination device, attack countermeasure determination method, and attack countermeasure determination program |
CN104580553B | Method and device for identifying network address translation equipment |
WO2017067443A1 | Security domain name system and fault processing method therefor |
CN102739811B | The method and apparatus of domain name mapping |
CN105635064B | CSRF attack detection method and device |
CN111404912A | Domain name detection method and device based on IP white list |
CN107135238A | A kind of DNS reflection amplification attacks detection method, apparatus and system |
CN105827599A | Cache infection detection method and apparatus based on deep analysis on DNS message |
CN109428857B | Detection method and device for malicious detection behaviors |
CN113438332B | DoH service identification method and device |
US10462180B1 | System and method for mitigating phishing attacks against a secured computing device |
KR20200018966A | Method and apparatus for processing cyber threat information |
US10142359B1 | System and method for identifying security entities in a computing environment |
CN111988447A | Network security protection method and DNS recursive server |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190927 |